Can't ping devices in a LAN over WireGuard tunnel

Hi everyone,

I’m trying to set up a WireGuard tunnel between two Mikrotiks at different sites, but I’m encountering a connectivity issue. I’ve created a diagram to illustrate the current setup:

WireguardTunel.png
Problem Description:

From the Laptop at Site A, I can successfully ping the WireGuard IP at Site B: 10.230.10.2.
However:
I cannot ping 192.168.50.250 (Site B) from the Laptop at Site A.
I also cannot ping 192.168.50.250 from the Mikrotik at Site A using:
ping 192.168.50.250 src-address=172.16.0.254
I suspect I’m missing something in the configuration, but I can’t figure out what it is.

What I’ve Tried:

Verified that routes for the 192.168.50.0/24 network are correctly set up.
Checked firewall rules to ensure traffic between the 172.16.0.0/24 and 192.168.50.0/24 networks is allowed.
Confirmed that the WireGuard peers are configured with the correct allowed addresses.
Attached Exports:

Export of Site A configuration:

# Site A export (as posted). Bridge_Lan carries the 172.16.0.0/24 LAN; ether1 and
# the VLAN 20 sub-interface on it are the WAN uplinks.
/interface bridge
add name=Bridge_Lan port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
/interface wireguard
# Tunnel endpoint listening on UDP 53231 with MTU lowered to 1300 (the reply
# below recommends keeping the WireGuard default of 1420 on both ends).  No rule
# in the input chain of this export explicitly accepts UDP 53231; handshakes
# from Site B reach the router only because that chain has no final drop rule.
add listen-port=53231 mtu=1300 name=wgPolar
/interface vlan
add interface=ether1 name=vlan_pepehone vlan-id=20
/interface list
# Only a WAN list is defined; there is no LAN list, so the filter rules below
# have to match on explicit interfaces and addresses.
add name=WAN
/ip pool
add name=dhcp_pool_BridgeLAN ranges=172.16.0.20-172.16.0.100
/ip dhcp-server
add address-pool=dhcp_pool_BridgeLAN interface=Bridge_Lan name=dhcp1
/interface bridge port
# Every port other than ether1 (copper and both SFP+ ports) is a member of
# Bridge_Lan, not only ether2 (the one commented "LAN" above).
add bridge=Bridge_Lan interface=ether2 internal-path-cost=10 path-cost=10
add bridge=Bridge_Lan interface=ether3 internal-path-cost=10 path-cost=10
add bridge=Bridge_Lan interface=ether4 internal-path-cost=10 path-cost=10
add bridge=Bridge_Lan interface=ether5 internal-path-cost=10 path-cost=10
add bridge=Bridge_Lan interface=ether6 internal-path-cost=10 path-cost=10
add bridge=Bridge_Lan interface=ether7 internal-path-cost=10 path-cost=10
add bridge=Bridge_Lan interface=ether8 internal-path-cost=10 path-cost=10
add bridge=Bridge_Lan interface=sfp-sfpplus1 internal-path-cost=10 path-cost=\
    10
add bridge=Bridge_Lan interface=sfp-sfpplus2 internal-path-cost=10 path-cost=\
    10
add bridge=Bridge_Lan interface=ether9 internal-path-cost=10 path-cost=10
add bridge=Bridge_Lan interface=ether10 internal-path-cost=10 path-cost=10
add bridge=Bridge_Lan interface=ether11 internal-path-cost=10 path-cost=10
add bridge=Bridge_Lan interface=ether12 internal-path-cost=10 path-cost=10
add bridge=Bridge_Lan interface=ether13 internal-path-cost=10 path-cost=10
add bridge=Bridge_Lan interface=ether14 internal-path-cost=10 path-cost=10
add bridge=Bridge_Lan interface=ether15 internal-path-cost=10 path-cost=10
add bridge=Bridge_Lan interface=ether16 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
# A 10s UDP timeout is shorter than the peer's 25s persistent-keepalive, so the
# tunnel's outer UDP flow is presumably seen as "new" rather than "established"
# on most keepalives.  Harmless while the input chain has no final drop, but an
# explicit accept for UDP 53231 (as in the reply's rule set) is needed once one
# is added.
set udp-timeout=10s
/interface list member
add interface=ether1 list=WAN
add interface=vlan_pepehone list=WAN

/interface wireguard peers
# allowed-address is the per-peer cryptokey-routing filter: packets decrypted
# from this peer are accepted only if their source falls inside these prefixes,
# and packets to these prefixes are sent to this peer.  10.230.10.2/24 names the
# whole tunnel subnet for what is a single remote host; the reply below suggests
# /32.  No endpoint-address is set, so this side waits for Site B to initiate
# and (per the reply) does not need the persistent-keepalive.  Public key is
# redacted in the post.
add allowed-address=10.0.10.0/24,10.230.10.2/24,192.168.50.0/24 comment=\
    Polar_B interface=wgPolar name=PolarPeer persistent-keepalive=25s \
    public-key="xxxxx"
/ip address
add address=172.16.0.254/24 interface=Bridge_Lan network=172.16.0.0
# Tunnel-side address of this router; Site B lists it as 10.230.10.1/32.
add address=10.230.10.1/24 interface=wgPolar network=10.230.10.0
/ip cloud
# Publishes this router's public address to MikroTik DDNS every 5 minutes.
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
# Two DHCP clients on the same physical uplink (ether1 and its VLAN 20); by
# default each one installs its own default route.  The reply below suggests
# keeping only one of them.
add interface=ether1
add interface=vlan_pepehone
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=172.16.0.254 gateway=172.16.0.254
/ip firewall filter
# Rule order is the match order.  fasttrack comes first, so once a connection is
# fasttracked its later packets bypass every rule below.
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
# Local LAN -> the 192.168.50.0/24 network behind Site B.
add action=accept chain=forward dst-address=192.168.50.0/24 src-address=\
    172.16.0.0/24
# Anything entering from the tunnel may reach the local LAN; no src-address
# restriction, so this relies entirely on the peer's allowed-address.
add action=accept chain=forward dst-address=172.16.0.0/24 in-interface=\
    wgPolar
# Traffic to the local LAN leaving via the tunnel -- presumably never matches,
# since 172.16.0.0/24 is a connected route on Bridge_Lan, not on wgPolar.
add action=accept chain=forward dst-address=172.16.0.0/24 out-interface=\
    wgPolar
add action=accept chain=forward dst-address=172.16.0.0/24 out-interface=\
    Bridge_Lan
# Three LAN hosts accepted from any source on any interface.
add action=accept chain=forward dst-address=172.16.0.2
add action=accept chain=forward dst-address=172.16.0.250
add action=accept chain=forward dst-address=172.16.0.4
# Input chain: accept established/related, drop invalid -- and nothing else.
# With no final drop, every new connection to the router itself, including
# from the WAN interfaces, is accepted by default.  The reply below adds an
# explicit "drop all else" input rule to close this.
add action=accept chain=input comment="Regles Basiques protecci\F3 INPUT" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
# The forward chain likewise ends without a final drop, so the accept rules
# above pre-empt nothing; forwarding is effectively allow-all.
add action=accept chain=forward comment="Regles Basiques protecci\F3 FORWARD" \
    connection-state=established,related
add action=drop chain=forward connection-state=invalid
# Output-chain rules; the reply below suggests dropping these.
add action=accept chain=output comment="Regles Basiques protecci\F3 OUTPUT" \
    connection-state=established,related
add action=drop chain=output connection-state=invalid
/ip firewall nat
# These two accept rules exempt LAN -> 192.168.50.0/24 and LAN -> 10.0.10.0/24
# from the masquerade below, so that traffic enters the tunnel with its real
# 172.16.0.x source.  log=yes writes a log entry for every new connection.
add action=accept chain=srcnat dst-address=192.168.50.0/24 log=yes \
    src-address=172.16.0.0/24
add action=accept chain=srcnat dst-address=10.0.10.0/24 log=yes src-address=\
    172.16.0.0/24
# No out-interface restriction: everything else, including LAN traffic to the
# tunnel subnet 10.230.10.0/24, is masqueraded.  That presumably explains the
# symptom: a ping to 10.230.10.2 leaves as 10.230.10.1, which Site B's
# allowed-address permits, while a ping to 192.168.50.250 keeps its 172.16.0.x
# source and the target has no route back unless Site B masquerades it (see
# the last reply on this thread).
add action=masquerade chain=srcnat comment="NAT LAN Interna"
/ip firewall raw
# All three raw rules are disabled and refer to 10.1.0.0/24 and 10.10.0.0/24,
# which appear nowhere else in either export; they have no effect here.
add action=notrack chain=prerouting disabled=yes dst-address=172.16.0.0/24 \
    src-address=10.1.0.0/24
add action=notrack chain=prerouting disabled=yes dst-address=10.1.0.0/24 \
    src-address=172.16.0.0/24
add action=accept chain=prerouting disabled=yes in-interface=vlan_pepehone \
    src-address=10.10.0.0/24
/ip route
# Static routes into the tunnel for the two networks behind Site B.
# 10.230.10.0/24 itself is a connected route on wgPolar and needs no entry.
add disabled=no distance=1 dst-address=192.168.50.0/24 gateway=wgPolar \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=5
add disabled=no distance=1 dst-address=10.0.10.0/24 gateway=wgPolar \
    routing-table=main scope=10 suppress-hw-offload=no target-scope=5

Export of Site B configuration:

# Site B export (as posted).  ether1 is the uplink (DHCP client below); ether2
# carries the 10.0.10.0/24 LAN.
/interface ethernet
# MTU 1400 on the ethernet ports and 1300 on the tunnel; the reply below
# recommends the WireGuard default of 1420 on both ends instead.
set [ find default-name=ether1 ] mtu=1400
set [ find default-name=ether2 ] disable-running-check=no mtu=1400
/interface wireguard
add listen-port=53231 mtu=1300 name=wgPolar_B
# Unused second tunnel interface, left disabled.
add disabled=yes listen-port=13231 mtu=1300 name=wireguard1
/port
set 0 name=serial0
/interface wireguard peers
# This side has an endpoint-address and therefore initiates the handshake; the
# persistent-keepalive belongs here (not at Site A, per the reply).
# allowed-address: 172.16.0.0/24 and 10.230.10.1/32 are the sources expected
# from Site A.  192.168.50.0/24 is, per the replies, apparently on this
# router's own uplink side, so it does not belong in a remote peer's
# allowed-address and is dropped in the reply's version.  Public key redacted.
add allowed-address=172.16.0.0/24,10.230.10.1/32,192.168.50.0/24 endpoint-address=213.195.101.31 endpoint-port=53231 interface=wgPolar_B name=PolarPeer persistent-keepalive=25s \
    public-key="xxxxxxx="
/ip address
add address=10.0.10.253/24 interface=ether2 network=10.0.10.0
add address=10.230.10.2/24 interface=wgPolar_B network=10.230.10.0
/ip dhcp-client
# Uplink address comes from DHCP (the reply asks whether the data center can
# provide a static one).  The two disabled ether2 entries are duplicates.
add interface=ether1
add disabled=yes interface=ether2
add disabled=yes interface=ether2
/ip firewall filter
# fasttrack first, then a generic established/related accept (repeated below
# with a comment).
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
# Site A LAN <-> 192.168.50.0/24 in both directions.  There is no rule for the
# local 10.0.10.0/24 LAN and no final drop in any chain, so forward and input
# are allow-all by default anyway -- including new connections arriving on the
# uplink for the router itself.
add action=accept chain=forward dst-address=192.168.50.0/24 src-address=172.16.0.0/24
add action=accept chain=forward dst-address=172.16.0.0/24 src-address=192.168.50.0/24
add action=accept chain=forward comment="Regles Basiques protecci\F3 FORWARD" connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="Regles Basiques protecci\F3 INPUT" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=output comment="Regles Basiques protecci\F3 OUTPUT" connection-state=established,related
add action=drop chain=output connection-state=invalid
/ip firewall nat
# Exempts Site A -> 192.168.50.0/24 from the masquerade below.  Those packets
# then leave ether1 with a 172.16.0.x source, and 192.168.50.250 can only reply
# if it has a route back to 172.16.0.0/24 through this router -- the likely
# reason the ping fails.  The last reply proposes masquerading this traffic;
# note a new rule appended with "add" lands after this accept and would never
# match unless this rule is removed or the new one is moved above it.
add action=accept chain=srcnat dst-address=192.168.50.0/24 src-address=172.16.0.0/24
# Reverse direction (192.168.50.0/24 -> Site A LAN) into the tunnel, unmasqueraded.
add action=accept chain=srcnat dst-address=172.16.0.0/24 src-address=192.168.50.0/24
# No out-interface restriction: all other traffic, including the local LAN's
# traffic into the tunnel, is masqueraded.
add action=masquerade chain=srcnat comment="NAT LAN Interna"
/ip route
# Site A's LAN is reached through the tunnel; 10.230.10.0/24 is a connected
# route on wgPolar_B.
add disabled=no dst-address=172.16.0.0/24 gateway=wgPolar_B routing-table=main suppress-hw-offload=no

Does anyone have an idea of what might be missing? Any help would be greatly appreciated!

  1. The listening port on the WireGuard interface does not have to match the endpoint port of the server router; there is no direct correlation.
  2. 192.168.50.0/24 is a local subnet; allowed-address is for REMOTE addresses (those a local user may have as a destination address, or that may be arriving at the local router from remote sites).
  3. We use the subnet address for WireGuard, which enables all WireGuard users (controlled by local firewall rules) to gain access to Site B → think of yourself as an admin on the road with a laptop.
  4. Your diagram is CONFUSING and maybe wrong.

It looks like the MT at Site B is not accessing the public IP directly, as that is handled at the data center. The data center has a public IP; the MT at Site B does not.
Thus I have to assume the MT gets a WAN IP from the LAN at the data center, 192.168.50.X.
Thus it is wrong to give the MT a LAN on the same subnet; it would be a different one, etc.

So it is wrong, or you have not provided sufficient detail to explain what is going on here.

  1. Using a DHCP client… is the data center not giving you a static private IP?

  2. Keep the WireGuard MTU the same at both ends, and stick with the default of 1420.
    If necessary, add a mangle rule to handle MTU on Site B.


    SITE B

/interface wireguard
# Listen port need not match the remote endpoint port (point 1 above); MTU
# returned to the WireGuard default so it matches Site A.
add listen-port=24231 mtu=1420 name=wgPolar_B

/interface wireguard peers
# The whole tunnel subnet 10.230.10.0/24 replaces the single /32, and
# 192.168.50.0/24 (on this router's own uplink side) is dropped.  The ** markers
# are forum emphasis, not RouterOS syntax; the curly quotes must be straight
# quotes, and the public-key line has to be joined to the add command (the
# original export used a trailing backslash for that).
add allowed-address=172.16.0.0/24,10.230**.10.0/24** endpoint-address=213.195.101.31 endpoint-port=53231 interface=wgPolar_B name=PolarPeer persistent-keepalive=25s
public-key=“xxxxxxx=”
/ip address
add address=10.0.10.253/24 interface=ether2 network=10.0.10.0
add address=10.230.10.2/24 interface=wgPolar_B network=10.230.10.0

CANNOT address anything more until SITE B is sorted for TRUTH.

1. Persistent keepalive is not required on the Site A WireGuard peer. The client requires it for the handshake, not the server.
2. Normally client (handshake-initiating) peer devices, usually more than one, are identified by a single IP address.
3. ONLY one DHCP client interface is valid; I suspect it is the VLAN one, so remove the ether1 entry…
4. Forget output rules
5. Forget raw rules
6. Only one source NAT rule is required: the default one.

SITE A:

/interface wireguard
# MTU returned to the default 1420, matching Site B.
add listen-port=53231 mtu=1420 name=wgPolar

/interface list
# A LAN list is added so the filter rules below can match on interface lists.
add name=WAN
add name=LAN

/interface list member
add interface=ether1 list=WAN
add interface=vlan_pepehone list=WAN
# The tunnel is treated as a LAN-side interface for the internet-access rule.
add interface=Bridge_Lan list=LAN
add interface=wgPolar list=LAN

/interface wireguard peers
# Single-host /32 for the Site B peer; no endpoint and no keepalive on this
# (listening) side.  ** is forum emphasis, the curly quotes must be straight
# quotes, and the continuation lines have to be joined with a trailing
# backslash as in the original export.
add allowed-address=10.0.10.0/24,10.230.10.2**/32**,192.168.50.0/24 comment=
Polar_B interface=wgPolar name=PolarPeer
public-key=“xxxxx”

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
# "untracked" covers traffic excluded from connection tracking by raw rules.
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
# NOTE(review): "comment-=" is a typo for "comment=".
add action=accept chain=forward comment-=“internet traffic” in-interface-list=LAN out-interface-list=WAN
# LAN -> tunnel, any destination (the static routes decide what enters wgPolar).
add action=accept chain=forward comment=“Local users to wireguard” src-address=172.16.0.0/24 out-interface=wgPolar
# Tunnel -> LAN only from Site B's LAN, plus the listed admin addresses.
add action=accept chain=forward comment=“remote users to LAN” in-interface=wgPolar src-address=10.0.10.0/24 dst-address=172.16.0.0/24
add action=accept chain=forward comment=“admin users to LAN” in-interface=wgPolar src-address-list=AUTHORIZED
# Explicit final drop in forward: this is what the posted Site A export lacks.
add action=drop chain=forward comment=“drop all else”
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
# NOTE(review): dst-port needs a protocol in RouterOS; add protocol=udp here.
add action=accept chain=input comment=“wireguard handshake” dst-port=53231
add action=accept chain=input comment=“admin access” src-address-list=AUTHORIZED
add action=accept chain=input comment=“users to services” in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment=“users to services” in-interface-list=LAN dst-port=53 protocol=tcp
# Closes the input chain; the posted export has no such rule, which leaves the
# router's services reachable from the WAN interfaces.
add action=drop chain=input comment=“drop all else” { put this rule in last }

/ip firewall address-list { Do this before firewall rule changes }
# X, Y, A, B, E, F are placeholders for the real admin addresses.  The list is
# consulted by the "admin" rules above, so it must exist before they are added.
add address=172.16.0.X list=AUTHORIZED comment=“admin local pc”
add address=172.16.0.Y list=AUTHORIZED comment=“admin local wifi”
etc.
add address=10.230.10.A list=AUTHORIZED comment=“remote admin laptop”
add address=10.230.10.B list=AUTHORIZED comment=“remote admin smartphone”
etc.
add address=10.0.10.E list=AUTHORIZED comment=“admin while at site B local PC”
add address=10.0.10.F list=AUTHORIZED comment=“admin while at site B local WIFI”
etc.

/ip firewall nat
# NOTE(review): as written this is action=accept, which would exempt WAN-bound
# traffic from NAT altogether; point 6 above ("the default one") presumably
# means action=masquerade.
add action=accept chain=srcnat out-interface-list=WAN

If 192.168.50.0/24 is the uplink of router B, I would say that you should set this rule on it:

# Masquerading Site A's traffic toward 192.168.50.0/24 rewrites its source to
# this router's uplink address, so (if the uplink really is on that subnet, as
# assumed above) 192.168.50.250 replies to a host on its own subnet and needs
# no route to 172.16.0.0/24.  Site B's existing srcnat accept rule for the same
# traffic is matched first; this rule only takes effect if that one is removed
# or this one is moved above it.
/ip firewall nat add chain=srcnat dst-address=192.168.50.0/24 action=masquerade